cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3444
Views
0
Helpful
28
Replies

EasyVPN and Pix501-Pix501-Problem

Hi,

I have a problem with my two Pix501.

I want that one of them is the EasyVPN Server and the other one is the EasyVPN Remote Client.

I configured everything like it is shown at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

In my testenvironment I have my "normal" network 192.168.0.0/24 that is at the outside interface of the two pixes. The EasyVPN Servers-network is 192.168.1.0/24 the otherone is 192.168.2.0/24.

My problem is, that the two pixes don't connect.

Here are the configs:

EasyVPN Server:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.3.1-192.168.3.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.1.200
vpngroup mygroup wins-server 192.168.1.200
vpngroup mygroup default-domain cisco.com
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:4967199c613b5553f9bc5aaa09aa02b3
: end

Client:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr03
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.221 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
vpnclient server 192.168.0.220
vpnclient mode network-extension-mode
vpnclient vpngroup mygroup password ********
vpnclient enable
terminal width 80
Cryptochecksum:3caebce68a73c906150eb011e7b18f8a
: end

Does anyone has an idea why it doesn't work?

Thanks,

Kriss

2 Accepted Solutions

Accepted Solutions

ok, thanks for the test and great to hear software vpn client works fine. That eliminates the vpn server from the problem.

You would also need to add the following on the client:

vpnclient nem-st-autoconnect

vpnclient  connect

View solution in original post

Yes, you would need to add the following ACL:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.120.0 255.255.255.0

and also add this if vpn client is behind PAT device: isakmp nat-traversal 25

You would need to reconnect with your vpn client after the above changes.

View solution in original post

28 Replies 28

Jennifer Halim
Cisco Employee
Cisco Employee

Which phase does it break?

Can you share the output of "show crypto isa sa" and "show crypto ipsec sa".

Also, please collect output of "debug cry isa" and "debug crypto ipsec" so check where it's breaking.

Hi

At the EasyVPN server:

kr01icr02# show crypto isa sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created


and

kr01icr02# show crypto ipsec sa


interface: outside
    Crypto map tag: mymap, local addr. 192.168.0.220

At the second pix:
kr01icr03(config)# show crypto isa sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
kr01icr03(config)# show crypto ipsec sa

kr01icr03(config)#

The debug-commands generate no output on the second (remote) pix. Even if I disable the vpnclient with "no vpnclient enable" and enable it again with "vpnclient enable"

So it seems like the client does not initiate the connection, correct?

You might want to enable logging on the PIX:

Depending on whether you console or ssh to the PIX:

logging on

logging console debugging

logging terminal debugging

Then turn on the debug:

debug crypto isa

debug crypto ipsec

Then disable and enable the vpnclient.

Are you able to ping the server from the client? from the remote PIX, ping 192.168.0.220?

Last resort, you might want to check with packet capture on the remote PIX just to confirm whether it initiates the VPN connection. You should see UDP/500 packet to start with for Phase 1.

Hi, yes I can ping the server from the client and the client from the server too.

The logging does not show any requests from the pixes.

There are only messages like this from different PCs but no message shows the IP of the other pix.

710005: UDP request discarded from 192.168.0.105/138 to outside:192.168.0.255/netbios-dgm
710005: UDP request discarded from 192.168.0.115/137 to outside:192.168.0.255/netbios-ns

So I still can't see that the client tries to connect to the server

I tried to connect to the server with the cisco software-VPN-Client and this works (the connection itselves). If I connect, there is much output in the console at the server.

ok, thanks for the test and great to hear software vpn client works fine. That eliminates the vpn server from the problem.

You would also need to add the following on the client:

vpnclient nem-st-autoconnect

vpnclient  connect

Ah, wonderful!

Now there is any traffic. But it seems that there is the next problem.

The servers says:

crypto_isakmp_process_block:src:192.168.0.221, dest:192.168.0.220 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 3307215273
ISAMKP (0): received DPD_R_U_THERE from peer 192.168.0.221
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS

The client says:

ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.220, dest:192.168.0.221 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
        spi 0, message ID = 248407712
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.220
return status is IKMP_NO_ERR_NO_TRANS

The message appears every few seconds (~8) at both Pixes.

A ping to the other pix/device in the other subnet is not possible.

Can you please share the output of:

show crypto isa sa

show crypto ipsec sa

Hi,

at the client:

kr01icr03(config)# show crypto isa sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   192.168.0.220    192.168.0.221    QM_IDLE         0           6
kr01icr03(config)#

kr01icr03(config)# show crypto ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, local addr. 192.168.0.221

   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 192.168.0.220:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 468, #pkts encrypt: 468, #pkts digest 468
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.221, remote crypto endpt.: 192.168.0.220
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: 7ed32d4e

     inbound esp sas:
      spi: 0xbeae2329(3199083305)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/26412)
        IV size: 16 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x7ed32d4e(2127768910)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4607972/26403)
        IV size: 16 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.0.221/255.255.255.255/0/0)
k  remote ident (addr/mas
/IprSot/pAoKrt): M(P1 9(2.0168).:1 .s0e/2n5d5i.255.25n5g. 0/0N/O0)T
I  FcuYr rmeents_pseear:g 192e.16 83.601.2203:65 0p0r
g   t oPcERMIoT,l  f1la                               o
s={orcirgyipnt_ios__aicsl,}
a  k m p#_pkpts renocapsc: 0e, s#pskts_ ebnlcorycpkt: :0s, r#pckt:s dig1e9s2t 0.
   1 #6pkts 8dec.aps: 00, .#p2kt2s0 d,e cdryepts: 0t, :#1p9kts2 .ve1ri6f8y 0.
d: 0 #.p2k2ts 1c osmpprets:se5d:0 00, #p ktds pdetcom:p5r0ess0e
   I0S
K M P  #(p0k)ts n:o t pcromporecsessed: s0,i n#gp kNtOsT comIpFrY.  fapilaeyd: 0l,o a#dp k3ts6 d1ec3o7m prpesrso failetdo:c o0
  1                  l
        #ssenpd eirro rs 00, ,#re cmve serrsoargse 0

.D     =lo c3al 0cry9p2t0o 0e7n9dpt.8: 1192
16I8.S0A.2M2K1P,  re(m0o)te:  crreycpetoi evndpet.d: 19 2D.P168D.0.2_2R0_
U   _ T pHaEtRh mEt_uA C15K00 , fiprsoemc  ovpeerheeadr  72,1 m9ed2ia .mt1u6 81.5000.
   0                                                                                 2
  crureretnt uoutrbnound  sspti: a3tf0u089s7 8

i s   I KinbMoPu_nNd eOs_pE RsasR:
_  N   O sp_iT:R A0x5N7Se2aac3(1474472643)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/26430)
        IV size: 16 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x3f008978(1056999800)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/26430)
        IV size: 16 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:


kr01icr03(config)#

at the Server:

kr01icr02(config)# show crypto isa sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   192.168.0.220    192.168.0.221    QM_IDLE         0           6
kr01icr02(config)# show crypto ipsec sa

interface: outside
    Crypto map tag: mymap, local addr. 192.168.0.220

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 192.168.0.221:500
   dynamic allocated peer ip: 0.0.0.0

     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 504, #pkts decrypt: 504, #pkts verify 504
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.220, remote crypto endpt.: 192.168.0.221
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: beae2329

     inbound esp sas:
      spi: 0x7ed32d4e(2127768910)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607950/26224)
        IV size: 16 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xbeae2329(3199083305)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4608000/26226)
        IV size: 16 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.221/255.255.255.255/0/0)
   current_peer: 192.168.0.221:500
   dynamic allocated peer ip: 0.0.0.0

     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.220, remote crypto endpt.: 192.168.0.221
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: 57e2aac3

     inbound esp sas:
      spi: 0x3f008978(1056999800)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4608000/26201)
        IV size: 16 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x57e2aac3(1474472643)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4608000/26201)
        IV size: 16 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:


kr01icr02(config)#

Great... phase 1 is up (QM_IDLE), and phase 2 is up too.

On the client, the packets got encrypted, and it is decrypted on the server end, however, there is no encrypt on the server, which means there is no return traffic.

How do you try to access LAN behind the server? Are you trying to ping? which ip address did you ping? also, pls make sure that the host that you are trying to access or ping does not have any firewall that might be blocking the inbound access.

You can also add "management-access inside" and try to ping the PIX server inside ip address (192.168.1.1) from the client LAN. That would be successfull.

ok, it works!

It was a problem with some routes at pcs at the client side.

Thank you very very very much for your help!

Great to hear it's working now.

Please kindly mark the post answered and rate useful post. Thanks.

Hi,

ok, my Pix501 to Pix501 Connection via EasyVPN works.

I'm so happy

Now I tried to connect a second client-Pix to my "network".

So I have the EasyVPN-Server Pix and two EasyVPN-Client Pixes.

Both of them can connect to the server and both of them are reaching the server-Subnet (192.168.1.0).

From the serversubnet I reach the client subnets (192.168.2.0 and 192.168.3.0).

From the clientsubnots I reach the server subnet, but not the other client-subnet.

Is there an option I don't see like "vpnclient client-client-communication"?

Thanks again!

No, with Easy VPN connections, you won't be able to communicate between the clients.

If you would like to communicate between client, I would suggest that you configure LAN-to-LAN tunnel instead of Easy VPN tunnels.

What a pitty, but this is not such a bad thing.

My next problem:

When I connect to my EasyVPN-Server with the Software-Client, then I get an IP, can ping the EasyVPN-Server but nothing else. I can't ping any device in this network. The EasyVPN-Server can.